From 1c4d02455bbbbb1de77eb0dafe9081173faab377 Mon Sep 17 00:00:00 2001
From: Riyaz Faizullabhoy
Date: Wed, 3 Feb 2016 16:11:09 -0800
Subject: [PATCH] add non-root passwd functionality
Signed-off-by: Riyaz Faizullabhoy
---
 cmd/notary/integration_test.go | 23 +++++++++++++++++++++--
 cmd/notary/keys.go | 22 +++++++++++++++-------
 cmd/notary/keys_test.go | 2 +-
 3 files changed, 37 insertions(+), 10 deletions(-)
diff --git a/cmd/notary/integration_test.go b/cmd/notary/integration_test.go
index e176556d7e..86613910b0 100644
--- a/cmd/notary/integration_test.go
+++ b/cmd/notary/integration_test.go
@@ -1169,17 +1169,36 @@ func TestClientKeyPassphraseChange(t *testing.T) {
 server := setupServer()
 defer server.Close()
+ target := "sdgkadga"
+ tempFile, err := ioutil.TempFile("/tmp", "targetfile")
+ assert.NoError(t, err)
+ tempFile.Close()
+ defer os.Remove(tempFile.Name())
+
 // -- tests --
- _, err := runCommand(t, tempDir, "-s", server.URL, "init", "gun1")
+ _, err = runCommand(t, tempDir, "-s", server.URL, "init", "gun1")
 assert.NoError(t, err)
 // we should have three keys stored locally in total: root, targets, snapshot
- rootIDs, _ := assertNumKeys(t, tempDir, 1, 2, true)
+ rootIDs, signingIDs := assertNumKeys(t, tempDir, 1, 2, true)
+ for _, keyID := range signingIDs {
+ // try changing the private key passphrase
+ _, err = runCommand(t, tempDir, "-s", server.URL, "key", "passwd", keyID)
+ assert.NoError(t, err)
+
+ // assert that the signing keys (number and IDs) didn't change
+ _, signingIDs = assertNumKeys(t, tempDir, 1, 2, true)
+ assert.Contains(t, signingIDs, keyID)
+
+ // make sure we can still publish with this signing key
+ assertSuccessfullyPublish(t, tempDir, server.URL, "gun1", target, tempFile.Name())
+ }
 // only one rootID, try changing the private key passphrase
 rootID := rootIDs[0]
 _, err = runCommand(t, tempDir, "-s", server.URL, "key", "passwd", rootID)
 assert.NoError(t, err)
+
 // make sure we can init a new repo with this key
 _, err = runCommand(t, tempDir, "-s", server.URL, "init", "gun2")
 assert.NoError(t, err)
diff --git a/cmd/notary/keys.go b/cmd/notary/keys.go
index e651823535..353ec750c0 100644
--- a/cmd/notary/keys.go
+++ b/cmd/notary/keys.go
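Review bot: `ioutil.TempFile("/tmp", "targetfile")` hard-codes the temp directory; passing `""` lets Go use `os.TempDir()` (honours TMPDIR and works off Linux), and the error from `tempFile.Close()` is dropped where `assert.NoError(t, tempFile.Close())` would match the surrounding asserts. The new loop only shows that a re-keyed signing key is still usable for a publish; nothing in the hunk asserts that the old passphrase is rejected afterwards, though whether runCommand's retriever could surface that is not visible here. TestClientKeyPassphraseChange begins before this hunk and continues past it.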
@@ -78,8 +78,8 @@ var cmdKeyRemoveTemplate = usageTemplate{
 var cmdKeyPasswdTemplate = usageTemplate{
 Use: "passwd [ keyID ]",
- Short: "Changes the passphrase for the root key with the given keyID.",
- Long: "Changes the passphrase for the root key with the given keyID. Will require validation of the old passphrase.",
+ Short: "Changes the passphrase for the key with the given keyID.",
+ Long: "Changes the passphrase for the key with the given keyID. Will require validation of the old passphrase.",
 }
 type keyCommander struct {
@@ -502,7 +502,7 @@ func (k *keyCommander) keyRemove(cmd *cobra.Command, args []string) error {
 func (k *keyCommander) keyPassphraseChange(cmd *cobra.Command, args []string) error {
 if len(args) < 1 {
 cmd.Usage()
- return fmt.Errorf("must specify the key ID of the root key to change the passphrase of")
+ return fmt.Errorf("must specify the key ID of the key to change the passphrase of")
 }
 config, err := k.configGetter()
@@ -521,18 +521,26 @@ func (k *keyCommander) keyPassphraseChange(cmd *cobra.Command, args []string) er
 return fmt.Errorf("invalid key ID provided: %s", keyID)
 }
- // We only allow for changing the root key, so use no gun
- cs := cryptoservice.NewCryptoService("", ks...)
+ // Find the key's GUN by ID, in case it is a non-root key
+ var keyGUN string
+ for _, store := range ks {
+ for keypath := range store.ListKeys() {
+ if filepath.Base(keypath) == keyID {
+ keyGUN = filepath.Dir(keypath)
+ }
+ }
+ }
+ cs := cryptoservice.NewCryptoService(keyGUN, ks...)
 privKey, role, err := cs.GetPrivateKey(keyID)
 if err != nil {
- return fmt.Errorf("could not retrieve local root key for key ID provided: %s", keyID)
+ return fmt.Errorf("could not retrieve local key for key ID provided: %s", keyID)
 }
 // Must use a different passphrase retriever to avoid caching the
 // unlocking passphrase and reusing that.
 passChangeRetriever := k.getRetriever()
 keyStore, err := trustmanager.NewKeyFileStore(config.GetString("trust_dir"), passChangeRetriever)
- err = keyStore.AddKey(keyID, role, privKey)
+ err = keyStore.AddKey(filepath.Join(keyGUN, keyID), role, privKey)
 if err != nil {
 return err
 }
diff --git a/cmd/notary/keys_test.go b/cmd/notary/keys_test.go
index d4ee5596f8..95bf0979cd 100644
--- a/cmd/notary/keys_test.go
+++ b/cmd/notary/keys_test.go
@@ -431,5 +431,5 @@ func TestChangeKeyPassphraseNonexistentID(t *testing.T) {
 // Valid ID size, but does not exist as a key ID
 err := k.keyPassphraseChange(&cobra.Command{}, []string{strings.Repeat("x", notary.Sha256HexSize)})
 assert.Error(t, err)
- assert.Contains(t, err.Error(), "could not retrieve local root key for key ID provided")
+ assert.Contains(t, err.Error(), "could not retrieve local key for key ID provided")
 }
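Review bot: The GUN lookup in keyPassphraseChange keeps the last `keypath` whose base equals keyID and never stops scanning, so a key ID stored under more than one path (across the `ks` stores or under two GUNs) silently re-encrypts only the last match with the new passphrase while the other copy stays on the old one. Counting matches and refusing when there is more than one makes the operation unambiguous; a sketch of the lookup is below. `filepath.Dir` of a bare key ID yields "." rather than the "" the old code passed to NewCryptoService — if ListKeys reports root keys by bare ID this is presumably harmless since the later `filepath.Join` normalises it, but the CryptoService call should be confirmed. The pre-existing `keyStore, err := trustmanager.NewKeyFileStore(...)` result is still overwritten by `err = keyStore.AddKey(...)` without being checked; that is context here, not new. The function body continues past the end of the hunk.
```go
	// Find the key's GUN by ID; a bare key ID (no directory) is a root key.
	var keyGUN string
	matches := 0
	for _, store := range ks {
		for keypath := range store.ListKeys() {
			if filepath.Base(keypath) != keyID {
				continue
			}
			matches++
			if gun := filepath.Dir(keypath); gun != "." {
				keyGUN = gun
			}
		}
	}
	if matches > 1 {
		return fmt.Errorf("key ID %s is stored under more than one path; refusing to change its passphrase", keyID)
	}
	cs := cryptoservice.NewCryptoService(keyGUN, ks...)
	// … unchanged: GetPrivateKey, passphrase retriever, AddKey …
```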